From: Sean Young Date: Wed, 24 May 2017 09:24:51 +0000 (-0300) Subject: rc-core: race condition during ir_raw_event_register() X-Git-Tag: v3.2.93~48 X-Git-Url: https://git.openpandora.org/cgi-bin/gitweb.cgi?p=pandora-kernel.git;a=commitdiff_plain;h=bd33f9f3f4a8df2e4a6de42a606151bd0bd13d80;ds=sidebyside rc-core: race condition during ir_raw_event_register() commit 963761a0b2e85663ee4a5630f72930885a06598a upstream. A rc device can call ir_raw_event_handle() after rc_allocate_device(), but before rc_register_device() has completed. This is racey because rcdev->raw is set before rcdev->raw->thread has a valid value. Reported-by: kbuild test robot Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 3.2: adjust filename, context, indentation] Signed-off-by: Ben Hutchings --- diff --git a/drivers/media/rc/ir-raw.c b/drivers/media/rc/ir-raw.c index 2e5cd3100b64..3a5a5b60f1c6 100644 --- a/drivers/media/rc/ir-raw.c +++ b/drivers/media/rc/ir-raw.c @@ -225,7 +225,7 @@ void ir_raw_event_handle(struct rc_dev *dev) { unsigned long flags; - if (!dev->raw) + if (!dev->raw || !dev->raw->thread) return; spin_lock_irqsave(&dev->raw->lock, flags); @@ -252,6 +252,7 @@ int ir_raw_event_register(struct rc_dev *dev) { int rc; struct ir_raw_handler *handler; + struct task_struct *thread; if (!dev) return -EINVAL; @@ -269,14 +270,16 @@ int ir_raw_event_register(struct rc_dev *dev) goto out; spin_lock_init(&dev->raw->lock); - dev->raw->thread = kthread_run(ir_raw_event_thread, dev->raw, - "rc%ld", dev->devno); + thread = kthread_run(ir_raw_event_thread, dev->raw, "rc%ld", + dev->devno); - if (IS_ERR(dev->raw->thread)) { - rc = PTR_ERR(dev->raw->thread); + if (IS_ERR(thread)) { + rc = PTR_ERR(thread); goto out; } + dev->raw->thread = thread; + mutex_lock(&ir_raw_handler_lock); list_add_tail(&dev->raw->list, &ir_raw_client_list); list_for_each_entry(handler, &ir_raw_handler_list, list)
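Review bot: In the ir_raw_event_handle() hunk, the new `!dev->raw->thread` test is a lockless read made before `spin_lock_irqsave(&dev->raw->lock, flags)`, and nothing in the visible lines orders it against the plain store `dev->raw->thread = thread;` in ir_raw_event_register(). The check is only safe if a reader that sees a non-NULL thread also sees the result of `spin_lock_init(&dev->raw->lock)`. Either pair the store and the load with smp_wmb()/smp_rmb(), or add a comment stating why ordering is not a concern on this path. A short comment on the check would also help: it should say that a NULL thread means registration has not finished, and that dropping events raised in that window through the early return is intended.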
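Review bot: In the last ir_raw_event_register() hunk, the guard added to ir_raw_event_handle() relies on dev->raw->thread staying NULL until `dev->raw->thread = thread;` executes, but the allocation of dev->raw is outside the visible context. Please confirm it is a zeroing allocation, otherwise the `!dev->raw->thread` test can pass on an uninitialized pointer. Two related points in the same hunk: kthread_run() now starts ir_raw_event_thread with dev->raw before the thread pointer is stored, so the thread function must not depend on raw->thread being set when it first runs; and on the `IS_ERR(thread)` path the field is now left unset rather than holding an error pointer, so the cleanup at `out` (not shown here) should be checked to make sure it handles a thread field that was never assigned.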